
Hotels rely on an intricate network of third-party vendors and suppliers to support reservations, payment processing, property management, etc. While these relationships are necessary for great guest service, they also create new opportunities for cyberattacks. If a bad actor successfully infiltrates a third-party vendor, they can take advantage of network connections to go after hotels, stealing data, taking vital systems offline, or launching other attacks.
Clearly, hotels can’t simply sever ties with all third parties, but there are steps you can take to close the gaps and protect your organization (and guests) from bad actors.
Here’s a look at how cybercriminals exploit third-party connections to launch cyberattacks on hotels—and what you can do to bolster your defenses.
Infected POS Software Gives Hackers a Gateway to Hotels’ (and their Customers’) Data
Hotels use point-of-sale (POS) terminals every day to complete transactions with hundreds of customers, from the front desk to spas, restaurants, and gift shops. If hackers successfully compromise a hotel’s POS terminals, they can not only bring operations to a halt but also use the terminals as a channel to steal valuable guest and employee data.
Consider: A hacker breaches a POS provider’s network, perhaps by exploiting a known vulnerability or using stolen login credentials. Once they’ve gained access, they infect the POS software with malware. Unaware of the breach, the provider pushes out a software update to its network of hotels, potentially reaching hundreds of organizations and corrupting thousands of POS terminals. Thanks to the widely deployed malware, hackers now have access to hotels’ employees’ and guests’ data, e.g., credit card numbers, addresses, passports, and other personally identifiable information to sell on the dark web.
Data breaches are always a headache for organizations, but they’re extra costly when they come from a third-party vendor. In fact, according to IBM’s Cost of a Data Breach Report 2024, “a data breach originating through a business partner costs nearly 12% more than other types of data breaches.” But the cost goes beyond the hard numbers. After a data breach, a hotel’s reputation can take years to recover. Plus, it’s the hotel that gets slapped with stiff regulatory fines as they’re the party interacting directly with customers and thus responsible for safeguarding their data.
Phishing Schemes Give Hackers Direct Access to Property Management Systems
Even without deploying malware on hotels’ devices, threat actors can still find ways to get to hotels’ data via third-party vendors. Sometimes, all it takes is a simple email or old-fashioned phone call.
For example, suppose a hacker wants to get their hands on guests’ personally identifiable information, which is stored on a hotel’s property management system (PMS). By using phishing tactics, cybercriminals can pose as a hotel’s PMS vendor and trick employees into handing over login credentials or granting remote systems access. They may send an email using a domain similar to that of the real PMS vendor or call the front desk and pose as a PMS representative. Often, hackers will employ scare tactics to get employees to act fast, e.g., pressuring them to immediately download an important “security update.”
Today, artificial intelligence and deepfake technology make it easier for hackers to carry out phishing attacks with eerie accuracy. In fact, even the CEO of Zscaler recently issued a warning about deepfake-enabled phishing attacks after hackers used his voice to successfully scam his own staff. Meanwhile, another recent industry report revealed that 82% of phishing toolkits sold on the dark web now mention deepfakes, and almost three-quarters mention AI.
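A defender-side check for the lookalike-domain trick described above, added here as an example and not from the original article: it folds common character swaps and compares an inbound sender's domain against an allowlist of vendor domains. The vendor domains, the homoglyph table, and the two-label "registrable domain" rule are constructed assumptions for illustration.

```python
"""Flag email sender domains that imitate a trusted PMS/POS vendor's domain.

Added example for this article; the vendor domains below are constructed
placeholders, not real vendors.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist: the real domains your PMS and POS vendors mail from.
TRUSTED_VENDOR_DOMAINS = {"examplepms.com", "examplepos.net"}

# Characters attackers swap for visually similar ones (assumption: a small,
# illustrative table, not an exhaustive confusables list).
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain: str) -> str:
    """Lower-case, fold Unicode, and collapse common homoglyph substitutions."""
    d = unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")
    d = d.translate(_SINGLE)
    for pair, repl in _PAIRS:
        d = d.replace(pair, repl)
    return d


def registrable(domain: str) -> str:
    """Last two labels; assumption: no multi-label public suffixes like co.uk."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(address: str, trusted=TRUSTED_VENDOR_DOMAINS, threshold=0.85) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an email address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    reg = registrable(domain)
    if reg in trusted:                      # exact match on the registrable domain
        return "trusted"
    norm_domain, norm_reg = normalize(domain), normalize(reg)
    for t in trusted:
        nt = normalize(t)
        if nt in norm_domain:               # vendor name buried in a longer attacker domain
            return "lookalike"
        # Homoglyph swap, typo-squat, or swapped TLD close to the real domain
        if norm_reg == nt or SequenceMatcher(None, norm_reg, nt).ratio() >= threshold:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ["support@examplepms.com", "support@examp1epms.com",
                 "billing@examplepms.co", "support@examplepms.com.evil.example",
                 "someone@unrelated.example"]:
        print(addr, "->", classify_sender(addr))
```

Wire the "lookalike" result into a mail-gateway rule or SIEM alert so front-desk staff are not the only control between a spoofed "PMS vendor" and a credential handover.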
Unsecured APIs Give Attackers Access to Managed Service Providers—and then Hotels
Another way hackers can go after hotels’ data is through their managed service providers (MSPs), which hoteliers turn to for IT or cloud services.
Like other third-party providers, MSPs are productive attack channels for bad actors because, if successfully breached, they can be a link to dozens if not hundreds of hotels. Rather than going after one hotel directly, this kind of third-party cyberattack lets hackers maximize damage.
To target hotels, attackers first infiltrate the MSP, which they can do by taking advantage of vulnerabilities in the MSP’s infrastructure, such as weak security controls or unpatched software. From there, they identify and exploit unsecured APIs that the MSP uses to connect to hotels’ management systems. Once inside, cybercriminals deploy ransomware, steal guest data, or otherwise disrupt operations, like corrupting smart devices to lock guests out of rooms.
Hotels that want to gauge their exposure to third-party cyberattacks should look at the security posture of their MSPs. New data from a 2024 Hybrid Security Trends Report says 76% of MSPs identified a cyberattack on their infrastructure in the last year.
How to Protect Your Hotel from Third-Party Cybersecurity Risks
With vital integrations connecting hotels to dozens of third parties, the potential for risk is plentiful—but hoteliers can dramatically improve their cybersecurity defenses with a few strategies.
First, to combat phishing schemes, prioritize cybersecurity education. Mandate cybersecurity training across your organization and conduct regular exercises to teach employees how to detect and deflect phony emails and phone calls.
To mitigate the impact of POS malware, isolate POS systems from other devices to prevent lateral movement. In the event of breaches via MSPs or other vendors, network segmentation can further help limit hackers’ access. Other best practices include preparing incident response plans and implementing a zero trust security architecture.
In the face of rising threats, the best defense is community support. Turn to other hotels and hospitality organizations via industry groups like RH-ISAC, the global, retail- and hospitality-focused cyber intelligence sharing community. Its new LinkSECURE program delivers cybersecurity support for small- to mid-size vendors and service providers with limited IT or cyber resources to help mature their cybersecurity operations. The program matches every member with a success manager who evaluates their cybersecurity posture and walks them step-by-step through the critical security controls and safeguards.
Stay safe out there!